iexplore - kernel32.dll crash

[Guest]

A customer brought in an XP Home SP2 machine that was heavily infected with
viruses and scumware. After removing all of it (Norton AV, MS Antispy,
Adaware, Spybot, and Spysweeper all say it is now clean). Hijackthis tends
to confirm this, with all BHOs gone. It now runs quite well, except for IE.

IE 6 will not run at all, except in a special instance. More on that later.
If you try to launch it (homepage = www.msn.com, also tried www.cnn.com), you
get the Internet Explorer has encountered an error... message. Event log
shows "faulting application iexplore.exe version 6.0.2900.2180, faulting
module kernel32.dll version 5.1.2600.2180.

Just to be sure, 3rd party browser extensions are disabled in Internet
Properties - Advanced. The special instance where it actually will launch is
when it is launched by Spysweeper after an install or uninstall, taking you
to Webroot's web page. If you then try to go to any other site, it crashes
the same.

An older version of McAfee antivirus was apparently ineffective at
preventing infection and does not run properly, but since, in their infinite
wisdom, they rely on IE to uninstall, it won't (IE script errors). Sweet.
Unlike Norton, they don't offer nifty little uninstall utilities for such
cases. I am hesitant to wade through the registry as you never know for sure
that you've gotten all the vxds and dlls, and I've seen some strange things
happen when orphans are still active.

Another issue that I thought may have been contributing was that the .net
installation was hammered. After getting past the famous "can't uninstall
because XP thinks it is not installed/can't install because it is already
installed" issue, I got it installed, but it got me wondering if .net
interaction with IE is at the root of this.

Since the online virus scanners seem to require IE/ActiveX to run, I haven't
done any additional scanning for viruses, but it seems to run great and surfs
fine with Firefox.

Since it is running XP SP2, you can't use the trick anymore of setting
ActiveSetup isinstalled = 0 to force a reinstall of IE 6, so I did try a
reinstall of SP2, to no avail.

Any ideas?

 

[Jan Il]

Hi wyocowboy

Removing some types of scumware can leave damaged Winsock keys in the
Registry. In order to correct this problem you should download and run the
programs below that apply to your OS, which should resolve the connection
problem. If you are unable to download these programs from the affected
machine, you can download them from another machine and copy them to a
floppy disk or CD, copy them to the hard drive of your machine, then install
and run them.

LSPFix
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

and….

Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip
WinsockXP Fix for XP
http://www.spychecker.com/program/winsockxpfix.html
Also, with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
Repair Damaged Winsock
http://www.cexx.org/lspfix.htm

also…..

Additional LPS Information:
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci213375,00.html
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci213376,00.html
http://computercops.biz/LSPs.html
(scroll down the list to the lsp.dll files here)

If this does not resolve the problem, then you should repair of IE:

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows
XP
http://support.microsoft.com/kb/318378/EN-US/
The section
Windows XP and Windows XP SP1: Edit the registry and install Internet
Explorer 6 works on earlier versions of Windows.

Be sure to visit Windows Update site and let it scan for all needed updates
and service packs afterward.

Hope this helps

Jan
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit or other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

 

[Don Varnau]

Hi,
Will IE work from Safe Mode (with network support?) That would indicate that
another program is interfering with IE.

Long shot... Try deleting the Temporary Internet Files folder(s) for other
users from an Administrator login.

This (lengthy) troubleshooting process may help:
276393 - Understanding and Troubleshooting Unrecoverable Errors (Faults) in
Internet Explorer:
http://support.microsoft.com/?kbid=276393

Hope this helps,
Don
[MS MVP- IE/OE]

"wyocowboy" wrote in message
news:[email protected]...

 

[Guest]

Hi wyocowboy

Removing some types of scumware can leave damaged Winsock keys in the
Registry.

Why would this only affect IE and not Firefox?

LSPFix
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

As I mentioned, I have an internet connection - it works fine with Firefox,
but I did run LSPfix and it only shows the 3 MS files. I also tried the
netsh int ip reset command, but no help. Do the other utilities do something
that netsh does not do?

If this does not resolve the problem, then you should repair of IE:

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows
XP
http://support.microsoft.com/kb/318378/EN-US/
The section
Windows XP and Windows XP SP1: Edit the registry and install Internet
Explorer 6 works on earlier versions of Windows.

If you go back and read my post, I stated that this machine has SP2 on it.
This trick does not work with SP2. The only way that you can resinstall IE6
on XP SP2, whether it was an upgrade or original is to resintall SP2.

One thing that I have discovered in the meantime is that the problem does
not occur if there is no active internet connection - if I unplug the LAN
cable, it does not crash (offline mode).

Another thing I have tried is to run iexplore.exe /rereg, but this did not
help. I did notice that it now tries to detect a proxy even though it is
configured to not do so, and as a result, the crash is now delayed until the
home page site name is resolved and it starts retrieving the page, although
it crashes before displaying it..

I don't know if this was happening before, but if I go into Internet Options
- Connections - LAN Settings, nothing will happen when I click on OK, whether
I change a setting or not. If I click on Cancel it closes the dialog box.

As I stated before, all of this is occuring after reinstalling SP2.

 

[Guest]

Hi,
Will IE work from Safe Mode (with network support?) That would indicate that
another program is interfering with IE.

Nope. It fails the same way.

Long shot... Try deleting the Temporary Internet Files folder(s) for other
users from an Administrator login.

Thanks. I'll try that.

This (lengthy) troubleshooting process may help:
276393 - Understanding and Troubleshooting Unrecoverable Errors (Faults) in
Internet Explorer:
http://support.microsoft.com/?kbid=276393

Thanks. I'll try that.

 

[Guest]

Internet Explorer Full Download Instructions:

1. Download the IE 6.x setup file using this link: ie6setup.exe

2. Place the downloaded setup file here: C:\Downloads (Create this folder if
necessary.)

3. Click Start | Run and type the command below into the Open field, and
then click <OK>

NOTE: Use the EXACT syntax shown below, including the quotation marks.
Copying the text below and pasting it into the Open field is recommended.

"C:\Downloads\ie6setup.exe" /c:"ie6wzd.exe /d /s:""#E"

You will find much more info at:

=======================================
"Imagination...is the irrepressible revolutionist."

Regards, Gary 'Doc' Adams in New Orleans

http://military.accaw.org
~ Read to Learn - Write to Think ~
=======================================

 

[Guest]

Internet Explorer Full Download Instructions:

1. Download the IE 6.x setup file using this link: ie6setup.exe

That is not a link....

2. Place the downloaded setup file here: C:\Downloads (Create this folder if
necessary.)

3. Click Start | Run and type the command below into the Open field, and
then click <OK>

NOTE: Use the EXACT syntax shown below, including the quotation marks.
Copying the text below and pasting it into the Open field is recommended.

"C:\Downloads\ie6setup.exe" /c:"ie6wzd.exe /d /s:""#E"

It says "cannot find "....ie6wzd.exe"

You will find much more info at:

I would if I could logon, but it won't take my Passport login....

 

[PA Bear]

CTLouisiana, one does *not* download IE to reinstall it in WinXP, WinXP SP1
or WinXP SP2. As in many of your other posts to the MS newsgroups, you're
posting inaccurate and possibly dangerous information here.

Should anyone need to reinstall IE in WinXP, they should consult the KB
article which Jan posted earlier in this thread:

How to reinstall or repair Internet Explorer and Outlook Express in Windows
XP:
http://support.microsoft.com/?kbid=318378

You will find much more info at:

Please refrain from posting that link without specifically stating that you
are *not* an MS MVP. You're misleading people by doing otherwise.

 

[Guest]

3. Click Start | Run and type the command below into the Open field, and
then click <OK>

NOTE: Use the EXACT syntax shown below, including the quotation marks.
Copying the text below and pasting it into the Open field is recommended.

"C:\Downloads\ie6setup.exe" /c:"ie6wzd.exe /d /s:""#E"

Ok, I figured out the syntax by running from a cmd window. It gets to the
point that it is determiming the available download sites and then it
crashes, apparently at the same stage that IE crashes - when it is resolving
the website name(s). After clicking "Don't send" the system did a soft
restart. Neato.

After running this, I realized that it was just going to download the
complete IE6 SP1 pkg, which I already have on CD. BTW, the other trick to
downloading the complete pkg for Win2k/XP is to run ie6setup from a win98
machine. You can then specify the entire pkg, and which OS (the old custom
install...)

Anyways, all this is a complete waste of time because it still comes back
with the lame "a newer version of IE is already installed" even if you first
go in and set the IE activesetup isinstalled key to 0. Doesn't matter if you
are trying to install from the complete pkg or not, once you have SP2
installed, the only way to reinstall IE6 is to reinstall SP2, this from much
googling. If the MVPs don't know this, they should, and should be bugging the
developers to fix this...

So, here is the major new clue...

After finding out that both IE and IE setup are crashing when they go to
resolve URLs, I plugged the IP address of 207.68.173.254 instead of
www.msn.com into the Internet Options home page field and voila, it pulled up
the website without crashing. I can navigate to any website I want, as long
as I use the IP address.

It is obtaining all IP info via DHCP, and the DNS server addresses are the
correct ones for this ISP. Remember, Firefox works fine...

 

[PA Bear]

...If the MVPs don't know this, they should,

and should be bugging the developers to fix this...

Despite the implications of his posts, CTLouisiana is *not* an MS MVP,
Cowboy.

 

[Guest]

Just to make sure this important bit does not get lost, here it is again...

So, here is the major new clue...

After finding out that both IE and IE setup are crashing when they go to
resolve URLs, I plugged the IP address of 207.68.173.254 instead of
www.msn.com into the Internet Options home page field and voila, it pulled up
the website without crashing. I can navigate to any website I want, as long
as I use the IP address.

It is obtaining all IP info via DHCP, and the DNS server addresses are the
correct ones for this ISP. Remember, Firefox works fine...

 

[PA Bear]

Firefox works fine because it's not a part of Windows. IE is.

While assigning www.msn.com or even www.my.msn.com as IE homepage has proven
problematic for many users, your overall problems may be caused by
hijackware.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

 

[Guest]

All info is just as yours - it may be perfect and it may be not kinda like
this;

It sounds like GL CS 2 (whatever that is) isn't WinXP SP2-compatible (yet).

Golive CS works. CS2 is the problem [maybe].

And by complete dumb luck. ie6 CAN be installed from the XP install disk.
just
auto run, and choose additional items. You have to 1st remove it then
reinstall
it.

Will not work in WinXP.

 

[Guest]

Firefox works fine because it's not a part of Windows. IE is.

Unfortunately, yes.

While assigning www.msn.com or even www.my.msn.com as IE homepage has proven
problematic for many users, your overall problems may be caused by
hijackware.

Assigning www.cnn.com as the home page gets the same results, so it is not
an MSN-sensitive issue.

Did you miss my first post? This customer's machine was heavily infested
with viruses and scumware. Four different spyware scanners, including MS, say
it is now clean. I also went through it manually (I remove it for a living,
and have disinfected at least a few hundred machines). Most of the time, I
can completely kill/cripple scumware on even the most heavily infested
machines within 1-1/2hr max, even with multiple user accounts.

Besides, if it was still infected, I would likely be getting popups or MS
A/S would be advising that something is trying to install, and none of that
is happening.

If there is an LSP that is still intercepting DNS requests only for IE (not
sure that is possible), it does not show up in lspfix. It smells like there
is an IE registry key that is pointing to a DNS hook that is no longer there,
a registry key that does not get reset by reinstalling SP2. The funny thing
is that it crashes after it resolves the name, just at the point that it
would start displaying the page.

 

[PA Bear]

Post any all followup to your thread in Aumha Forums, please, Cowboy.
There's some serious weirdness on that machine that reinstalling IE is not
going to address:

http://aumha.net/viewtopic.php?t=14058

 

[Robert Aldwinckle]

....

After running this, I realized that it was just going to download the
complete IE6 SP1 pkg, which I already have on CD. BTW, the other trick to
downloading the complete pkg for Win2k/XP is to run ie6setup from a win98
machine. You can then specify the entire pkg, and which OS (the old custom
install...)

Anyways, all this is a complete waste of time because it still comes back
with the lame "a newer version of IE is already installed" even if you first
go in and set the IE activesetup isinstalled key to 0. Doesn't matter if you
are trying to install from the complete pkg or not, once you have SP2
installed, the only way to reinstall IE6 is to reinstall SP2, this from much
googling. If the MVPs don't know this, they should, and should be bugging the
developers to fix this...

Think about what you are trying to do and it will make more sense.

XP contains IE6 as a built-in base.
IE6sp1 can be installed separately in XP.
XPsp1 contains IE6sp1 (which supersedes even IE6sp1)
XPsp2 contains "IE6sp2" (which is not available separately and is just
a convenient way of referring to the browser functionality built in to XPsp2)

Therefore, if you wanted to install IE6sp1 "normally" you would need to
uninstall both XPsp2 and XPsp1 in order to get the installed version of IE below
the version you were trying to install.

This is very likely a waste of time because by uninstalling XPsp2
in a sense you "reinstall" IE6sp1 (i.e. by reverting to XPsp1).


The only thing that I would like to bug the developers to fix is the lack of
a usable repair tool for most users. E.g. only if you installed IE6sp1
separately would you have setupwbv.dll Its Repair function still works
from the Run... dialog, if you have it:
rundll32 setupwbv.dll,IE6Maintenance
and would be far superior to all the hit or miss regsvr32 commands
we have to offer as weak alternatives.


FYI

Robert Aldwinckle
---

 

[Robert Aldwinckle]

....

get the Internet Explorer has encountered an error... message. Event log
shows "faulting application iexplore.exe version 6.0.2900.2180, faulting
module kernel32.dll version 5.1.2600.2180.

I'm not clear from your web forum log if you are still crashing or not?

http://aumha.net/viewtopic.php?t=14058


In any case, if you have a drwtsn32.log dump of the crash you should look at its
Stack Back Trace of the crashing task for clues. I strongly suspect that the origin
of your crash will be in a *caller* to the routine where the crash occurs.
Also, be aware that sometimes there are even clues in the eyecatcher portion
of the following section of the drwtsn32.log, the Raw Stack Dump.
E.g. readable items in there may lead you directly to a relevant factor
which would be involved in your symptoms. Also, you might get a much more
readable trace if you have access to the appropriate symbol files
(e.g. provided you can figure out how to use the new "Symbol Server Technology"
http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx
or otherwise have access to them.)

As for how LSP works, more particularly how the bad guys exploit it,
I think that most of us are completely in the dark about that.
Have you tried the new XPsp2-only netsh winsock commands yet?

netsh winsock ?

Note in particular these options:

netsh winsock show catalog type=full

(FWIW I only have types BSP and NSP, no LSP. It might be useful to capture the list
and compare with one from another system which you think is healthier.)

netsh winsock reset ?

Usage: reset

Remarks: Resets Winsock Catalog to a clean state.
All Winsock Layered Service Providers which were previously
installed must be reinstalled.
This command does not affect Winsock Name Space Provider
entries.

So, this help suggests that if your NSP entries are different,
more particularly if they are a significant cause of your symptoms,
then even a reset command won't help change them.

Another opportunity for misuse which could cause your peculiar symptoms
are (I assume) ipsec packet filters. XP Support Tools has a command
which can show if any are in use apparently. Excerpt from a previous post:

<excerpt>

ipseccmd show filters

(ipseccmd is on the XP Pro Support Tools)


BTW you may get better suggestions in a newsgroup
which specializes in networking for your OS.
</excerpt>


Also notice that similar bizarre symptoms occur which are attributed to otherwise
reputable add-ons such as the Google search bar. So, given the number of third-party
programs which you show in your HJT log, I would wonder if some of them might
not perhaps have something to do with your symptom even if they aren't classed
as "malware". E.g. have you tried creating a clean boot to reproduce your symptoms with?


BTW in order to check on whether XPsp2 is installed using appwiz.cpl
it may actually be easier to *uncheck* show updates.
At least on my system Windows XP Service Pack 2 then is clearly evident
at the bottom of a (much smaller) list. YMMV.
Also, I think it may help if you explain exactly what you mean by
"reinstall XPsp2". In the past misusing service packs has been known
to cause unusual symptoms such as you seem to be exhibiting there
(though so far none that I am aware of with XP).


HTH

Robert Aldwinckle
---

A customer brought in an XP Home SP2 machine that was heavily infected with
viruses and scumware. After removing all of it (Norton AV, MS Antispy,
Adaware, Spybot, and Spysweeper all say it is now clean). Hijackthis tends
to confirm this, with all BHOs gone. It now runs quite well, except for IE.

IE 6 will not run at all, except in a special instance. More on that later.
If you try to launch it (homepage = www.msn.com, also tried www.cnn.com), you
get the Internet Explorer has encountered an error... message. Event log
shows "faulting application iexplore.exe version 6.0.2900.2180, faulting
module kernel32.dll version 5.1.2600.2180.

Just to be sure, 3rd party browser extensions are disabled in Internet
Properties - Advanced. The special instance where it actually will launch is
when it is launched by Spysweeper after an install or uninstall, taking you
to Webroot's web page. If you then try to go to any other site, it crashes
the same.

....